Skip to main content

☑️ Prevent containers from having unnecessary system call privileges

Seccomp is a mechanism to restrict the actions available within the container by restricting system calls that a process could make. The seccomp profile of a container is set within its securityContext, and can be set at pod level or at container level.
Running containers/Pods with the seccomp profile unconfined means one less isolation layer to protect your cluster. This is advised against by the security community, as it can give attackers dangerous privileges.
No container in your cluster should run unconfined, especially in production environments.

In Kubernetes versions earlier than 1.24, the default seccomp profile of containers is unconfined, which means that all pods that do not specify a seccomp profile will be susceptible to this threat.

Targeted resources by this rule (types of kind): Deployment / Pod / DaemonSet / StatefulSet / ReplicaSet / CronJob / Job

Enabled by default? False

Policy as code identifier: CONTAINERS_INCORRECT_SECCOMP_PROFILE


This rule will fail

If a seccompProfile is not configured, or has a type other than Localhost or RuntimeDefault:

spec:
securityContext:
seccompProfile:
type: Unconfined

Rule output in the CLI

$ datree test *.yaml

>> File: failExample.yaml
❌ Prevent containers from having unnecessary system call privileges [1 occurrence]
💡 Incorrect value for key `seccompProfile` - set an explicit value to prevent malicious use of system calls within the container

How to fix this failure

Set the seccompProfile type to Localhost or RuntimeDefault:

spec:
securityContext:
seccompProfile:
type: RuntimeDefault

Read more